Menu
▾
▴
Re: [PHPiCalendar-DEV] security suggestions for publish.php
|
From: Wesley M. <we...@we...> - 2006-09-17 02:37:32
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Jo, Coolness on the work you've done so far, which you sent in your previous email. :) I guess this is all a result of publish.php being something that was tacked on as a completely external feature. I guess if Jim thinks it makes sense to merge publish.php in as a real PHP iCalendar feature (giving it full-fledged status) then things like defining a log file location and auth realm in the config file makes sense. I don't think we should necessarily specify a specific publish.php log file directory with a .htaccess checked into SourceForge. We could default to /var/log/ and leave any sort of access controls or different destination directories up to the installer. I am wondering if the logmsg() function should be changed to not open/ close the file every single time. Later, Wes On Sep 16, 2006, at 4:54 PM, Jo Rhett wrote: > I think we need to make some changes to the publish system. > > Why: > > If you use the current system with external authentication, the ics > files > are protected by the same mechanism as the publish system. This isn't > always good -- what if I want to allow publish but not allow direct > access > to the ICS files? > > Likewise, if you are using the PHP authentication then the files > aren't > protected. (minus using a handler for .ics file access that fails) > > In short, I think that the following changes are reasonable and > flexible > enough for all situations: > > Put publish.php in publish/ directory. > -- an .htaccess file in that directory can control access > > Leave calenders in calendars/ directory. > -- an .htaccess file in that directory can control access > > I'd also like to introduce a configuration variable that would > control the > HTTP authentication realm, instead of having people edit > publish.php to > control this. Opinions? > > Lastly, I'd like to write the log file to a location which is *NOT* > accessible. Other files in the distribution fit this description. > How > about a new directory with a .htaccess file "deny from all" in it? > > -- > Jo Rhett > senior geek > SVcolo : Silicon Valley Colocation > > ---------------------------------------------------------------------- > --- > Using Tomcat but need to do more? Need to support web services, > security? > Get stuff done quickly with pre-integrated technology to make your > job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache > Geronimo > http://sel.as-us.falkag.net/sel? > cmd=lnk&kid=120709&bid=263057&dat=121642 > _______________________________________________ > Phpicalendar-devel mailing list > Php...@li... > https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel - -- Wesley Miaw we...@we... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFDLTrQv4agqRAk2kRAiETAJ90nGGasSbBggABOT3pqpbUgbTopwCfZWYU zWwBywpjttjGhwJt0013FBM= =wJyK -----END PGP SIGNATURE----- |
